Problem

Request parameters handled by Struts 2 are effectively treated as OGNL expressions. A possible DOS attacker might craft requests to a Struts 2 based application with extremely long parameter names. OGNL evaluation of the parameter name then will consume significant CPU cycles, thus promoting the effectiveness of the DOS attack.

Solution

As of Struts 2.3.4.1, parameter name length is limited to a maximum of 100 characters. This configuration may be customized by providing the newly introduced parameter "paramNameMaxLength" to the ParametersInteceptor configuration.